Netflix-Skunkworks / spectatord

A high performance metrics daemon
Apache License 2.0

Upgrade to libcurl >= 8.4.0 #72

Closed. copperlight closed this 3 months ago.

copperlight commented 11 months ago

https://github.com/curl/curl/discussions/12026

We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl security flaw in a long time.

The new version and details about the two CVEs will be published around 06:00 UTC on the release day.

CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool)
CVE-2023-38546: severity LOW (affects libcurl only, not the tool)

There is no API nor ABI change in the coming curl release.

I cannot disclose any information about which version range that is affected, as that would help identify the problem (area) with a very high accuracy so I cannot do that ahead of time. The "last several years" of versions is as specific as I can get.

We have notified the distros mailing list allowing the member distributions to prepare patches. (No one else gets details about these problems before October 11 without a support contract and a good reason.)

Now you know. Plan accordingly.

copperlight commented 11 months ago

Since we use Conan, we'll have to wait for the new release to percolate through, sometime after Oct 11 - hopefully it is quick. Version 8.2.1 is currently the latest available recipe.

https://conan.io/center/recipes/libcurl?version=8.2.1

copperlight commented 11 months ago

https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/

An attacker that controls an HTTPS server that a libcurl-using client accesses over a SOCKS5 proxy (using the proxy-resolver-mode) can make it return a crafted redirect to the application via an HTTP 30x response.

If the libcurl-using client has automatic redirect-following enabled, and the SOCKS5 proxy is “slow enough” to trigger the local variable bug, it will copy the crafted host name into the too-small allocated buffer and into the adjacent heap memory.

A heap buffer overflow has then occurred.

Since we do not use the SOCKS5 protocol in this project, we are not affected by this vulnerability, but we should still update to the latest anyways.

Conancenter does not yet have the latest version.
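The reasoning in the comment above (are we linked against a libcurl older than 8.4.0, and do we route anything through a SOCKS5 proxy in proxy-resolver mode?) is the kind of check worth automating in CI. The script below is an added example, not code from the spectatord project or from the curl authors. It parses `curl --version` style output or a Conan-style `libcurl/x.y.z` reference, compares it against the 8.4.0 fix release named in this issue, and flags proxy URLs using the `socks5h://` scheme (curl's proxy-resolver mode). The sample `curl --version` line and proxy URLs are constructed for the example, and the `audit` function and its result fields are this example's own names.

```python
"""Audit helper: does the libcurl in use predate the 8.4.0 fix release,
and does any configured proxy use the SOCKS5 proxy-resolver mode?"""
import re
from typing import Dict, List, Optional, Tuple

# First release carrying the fix for CVE-2023-38545 / CVE-2023-38546 (from the issue).
MIN_FIXED = (8, 4, 0)

# Constructed sample of a `curl --version` first line; not captured from a real host.
SAMPLE_CURL_VERSION_OUTPUT = (
    "curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.2 zlib/1.2.13\n"
    "Release-Date: 2023-07-26\n"
)

# Constructed sample proxy settings as an app might read them from its environment.
SAMPLE_PROXIES = ["socks5h://proxy.internal:1080", "http://proxy.internal:3128"]


def parse_libcurl_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the libcurl version from `curl --version` output or from a
    Conan-style reference such as 'libcurl/8.2.1'. Falls back to the first
    bare x.y.z triple so a plain '8.4.0' string also works."""
    match = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def needs_upgrade(version: Tuple[int, int, int]) -> bool:
    """True when the linked libcurl is older than the 8.4.0 fix release."""
    return version < MIN_FIXED


def uses_socks5_resolver_proxy(proxy_url: str) -> bool:
    """The socks5h:// scheme asks the proxy to resolve host names, which is
    the proxy-resolver mode the advisory text describes."""
    return proxy_url.strip().lower().startswith("socks5h://")


def audit(curl_version_output: str, proxy_urls: List[str]) -> Dict[str, object]:
    """Combine both checks into one result a CI step can assert on.
    'exposed' means: old libcurl AND a socks5h proxy is configured.
    'needs_upgrade' is reported regardless, matching the comment's decision
    to update even without SOCKS5 usage."""
    version = parse_libcurl_version(curl_version_output)
    old = version is not None and needs_upgrade(version)
    socks5h = [u for u in proxy_urls if uses_socks5_resolver_proxy(u)]
    return {
        "libcurl_version": version,
        "needs_upgrade": old,
        "socks5h_proxies": socks5h,
        "exposed": old and bool(socks5h),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CURL_VERSION_OUTPUT, SAMPLE_PROXIES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against the real `curl --version` output on a build host (or against the `libcurl/...` line of the Conan lockfile) and fail the pipeline when `needs_upgrade` is true; the separate `exposed` flag tells you whether the affected code path is actually reachable in your deployment, which is what the comment's "not affected, but update anyway" conclusion rests on.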

copperlight commented 11 months ago

There is an open PR to bump the libcurl version in Conancenter:

https://github.com/conan-io/conan-center-index/pull/19769

copperlight commented 3 months ago

Fixed with the following dependency update:

https://github.com/Netflix-Skunkworks/spectatord/pull/82